Add missing AVRCP message length checks inside avrc_msg_cback
Explicitly check the length of the received message before
accessing the data.
Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)
diff --git a/stack/avrc/avrc_api.cc b/stack/avrc/avrc_api.cc
index bdf78b7..10eb1a9 100644
--- a/stack/avrc/avrc_api.cc
+++ b/stack/avrc/avrc_api.cc
@@ -24,6 +24,8 @@
#include <base/logging.h>
#include <string.h>
+#include <log/log.h>
+
#include "avrc_api.h"
#include "avrc_int.h"
#include "bt_common.h"
@@ -663,6 +665,13 @@
msg.browse.browse_len = p_pkt->len;
msg.browse.p_browse_pkt = p_pkt;
} else {
+ if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
+ android_errorWriteLog(0x534e4554, "111803925");
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+ __func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
+ osi_free(p_pkt);
+ return;
+ }
msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__,
handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
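Review bot: The new guard at the top of the non-browse branch disposes of the packet itself with `osi_free(p_pkt); return;`, whereas the UNIT_INFO and SUB_UNIT_INFO checks added later in this commit signal the same condition with `drop = true; p_drop_msg = "..."; break;` and leave disposal to the function's common drop handling. If that drop path is reachable from this point (it lies outside the hunk), routing this case through it would keep a single owner for `p_pkt` and one place where dropped messages are reported; if it is not reachable yet, a one-line comment such as `/* header too short to parse anything: free here, drop path not set up yet */` would record why the early return is intentional. The trace also calls `android_errorWriteLog` before `AVRC_TRACE_WARNING`, the reverse of the order used by the later checks. The enclosing function avrc_msg_cback starts and ends outside the hunk.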
@@ -696,6 +705,15 @@
p_drop_msg = "auto respond";
} else {
/* parse response */
+ if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
+ AVRC_TRACE_WARNING(
+ "%s: message length %d too short: must be at least %d",
+ __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
+ android_errorWriteLog(0x534e4554, "79883824");
+ drop = true;
+ p_drop_msg = "UNIT_INFO_RSP too short";
+ break;
+ }
p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
msg.unit.unit_type =
(*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
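Review bot: The added minimum-length check protects only the response-parse branch; the command branch just above it (the path that sets `p_drop_msg = "auto respond"`) begins outside the hunk, and if it reads from or rewrites the received packet in place to build the reply it would need the same `p_pkt->len` check — worth confirming. The SUB_UNIT_INFO hunk that follows has the same shape and the same open question. Both sites repeat an identical warn/log/drop/break sequence differing only in the minimum length and the drop string, so a small static helper or macro taking those two values would keep the two sites in step if further opcodes get the same treatment. The enclosing function avrc_msg_cback starts and ends outside the hunk.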
@@ -725,6 +743,15 @@
p_drop_msg = "auto responded";
} else {
/* parse response */
+ if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
+ AVRC_TRACE_WARNING(
+ "%s: message length %d too short: must be at least %d",
+ __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
+ android_errorWriteLog(0x534e4554, "79883824");
+ drop = true;
+ p_drop_msg = "SUB_UNIT_INFO_RSP too short";
+ break;
+ }
p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
msg.sub.page =
(*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;